A vulnerability has been discovered in a 3rd-party toolkit used by XProtect products.
The Genivia gSOAP Toolkit is used in XProtect Device Packs to facilitate ONVIF device support. In systems using versions 2.7 to 2.8.47 of the gSOAP Toolkit, it may be possible to inject code or trigger a malfunction by passing a specially crafted XML message over 2 GB in size.
XProtect systems using Device Pack versions 9.2 and earlier are affected.
The risk of exploitation will be significantly reduced when following the best practices described in the Milestone Systems XProtect VMS Hardening Guide.
The gSOAP Toolkit (2.8.48) used in the upcoming Device Pack 9.3 is not affected by this issue. For more information check the following resources: